Equifax data breach hits nearly half of US – and isn’t over yet

Around 143 million people whose data Equifax has collected may have had their social security numbers, names, dates of birth, addresses and, in some cases, drivers’ licence numbers stolen. “The breach seems to mostly impact US customers at present, but I believe it will extend to other countries such as the UK,” says Joe Hancock of law firm Mishcon de Reya.

Although the hacker or hackers had access to the information from mid-May until late July, the company has only revealed the breach now.

“It’s quite horrendous,” says UK security expert Graham Cluley. “If you have people’s contact details, you can begin to contact them posing as different organisations,” he explains.

For example, if your bank routinely asks a security question when you make changes to your account via phone, an identity thief could use the data exposed at Equifax to contact you pretending to be your bank, quote personal information to convince you they are trustworthy, and then ask for the secret answer. Armed with this information, the thief could attempt to access, use and alter your accounts.

Malicious hackers could also simply email people and include the stolen information in the message to fool them into thinking it is legitimate. The email might prompt recipients to click on a link that downloads malware to their computer, for example.

A stolen credit card becomes obvious quickly, and there are clear remedies. However, the theft of social security numbers could have worse consequences, as it would allow the thieves to impersonate you to apply for credit cards without your knowledge. And replacing a credit card, password, or even bank account, is far easier than the arduous process of reapplying for a social security number, one of the main and permanent ways the US government keeps track of citizens.

People worried about being targeted by identity thieves can put fraud alerts on their credit reports or sign up for protection with services that offer fraud monitoring. Equifax is offering one such premium service for free, and so are its competitors.

The company has set up a website for customers to enter their social security number to see if they have been affected – but some are experiencing frustration with it. Security researcher and journalist Brian Krebs found that when he entered his own information, he was told to try again on 13 September. He got the same response when entering dummy credentials.

One of the ironies of the incident is that Equifax itself works with companies that have experienced a data breach. “Equifax provides fraud alerts after data breaches, therefore alerts from the service clearly aren’t as useful any more,” says Hancock. “More needs to be done to protect those whose data is lost, as those services themselves become targets.”

There’s a bigger elephant in the room. “By my calculation it’s been 960 hours (40 days) between Equifax finding out about the breach and warning the public,” wrote Cluley on his blog.

A number of outlets have speculated about why it took so long. Equifax says it detected the breach in July. A few days later, a number of executives suddenly sold stock amounting to $1.8 million, according to Bloomberg. “The share sales may indeed not be linked to this breach, but the timing and perception created will likely lead to an investigation by regulators,” says Hancock.

While this is not the biggest data breach to date – one impacting Yahoo customers hit a billion users – the Equifax case is significant because of the sensitivity of the information that may have been stolen.